Analysis

  • max time kernel
    155s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-09-2021 08:38

General

  • Target

    bacd5989c0f8aebcceb4f6268ed626d587d324c91ab45799c5c05d03f196e1d6.exe

  • Size

    852KB

  • MD5

    41deb852009dee8341b1862142c45e79

  • SHA1

    29d04c1ab468338690fd75e11a595ba3a52a0b11

  • SHA256

    bacd5989c0f8aebcceb4f6268ed626d587d324c91ab45799c5c05d03f196e1d6

  • SHA512

    d5eb21bca7661ec9d1ae35f804b8c0e5282db2ebab3bfb5f85bee45323a38418021143b71e1b1d6dc66592c81034d6657315923ddb9db678d3956b1ed23e905d

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

20.203.178.116:2070

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bacd5989c0f8aebcceb4f6268ed626d587d324c91ab45799c5c05d03f196e1d6.exe
    "C:\Users\Admin\AppData\Local\Temp\bacd5989c0f8aebcceb4f6268ed626d587d324c91ab45799c5c05d03f196e1d6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:468

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    MD5

    ab5c36d10261c173c5896f3478cdc6b7

    SHA1

    87ac53810ad125663519e944bc87ded3979cbee4

    SHA256

    f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

    SHA512

    e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    MD5

    553880ec4ff6ecb1093944d2418feaf8

    SHA1

    d7591b44a2c0eadc4b551bc7410dbb74de58f8f1

    SHA256

    97e10014e3a67177d84564d6ef7bf8111e587569f50f838e553d850b603d97e0

    SHA512

    8e674357d839b7bb9bdd6813a917fb229857a47ec755efed0c796ca06a4c6995740521bbce7a643548bd54c27c5f5c3bdeb650b6f3cfede3680b434aa9069338

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat

    MD5

    1438bd6950d90e091a4903cfcf1e15ba

    SHA1

    6bf85172675487920b4c50778d5fa843f6d878ae

    SHA256

    ce679775c43e449406ba3dcc1a37a2324365056db60923a9bf888afff51c551e

    SHA512

    2a24a30172e18bdb81692c95f3c1ee37a26e8d57959d20cb7e6545660d97bb02aa859c39ef3c28555920ebb273b3747412de3e8809b42e04589dc9e8eb039642

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\05CDRG9F.txt

    MD5

    a795e150d58c70e2141f50d81c11d4ab

    SHA1

    57d5b3b8355f6550e45c4155c33d83db46f95d7e

    SHA256

    7388c903fea1ed131ca2011d821c8df16845d206836373746f9d18d3df95bdf0

    SHA512

    911b142d8e88735796d6de2e09b0ee8baa2a225dc945f96d1a72e1c3403fc384b36d10755a5427cf2f5842e4de65c9ad88ec09e0ba4ab17c5addbb61bb8f3b93

  • memory/468-60-0x0000000000000000-mapping.dmp

  • memory/1376-54-0x0000000076A81000-0x0000000076A83000-memory.dmp

    Filesize

    8KB

  • memory/1652-55-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1652-56-0x000000000040C70E-mapping.dmp

  • memory/1696-58-0x0000000000000000-mapping.dmp

  • memory/1696-59-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

    Filesize

    8KB